A multistate investigation into a data breach at EyeMed Vision Care, a leading provider of vision benefits, has concluded with a $2.5 million settlement, announced by New Jersey Attorney General Matthew J. Platkin. The breach exposed the personal and medical data of roughly 2.1 million individuals. The investigation was conducted jointly by New Jersey, Oregon, Florida, and Pennsylvania, and more than 52,000 New Jersey residents were among those affected.
The settlement stems from failures in EyeMed's data security practices that contributed to the breach. Those failures violated state consumer protection laws, state personal information protection laws, and the federal Health Insurance Portability and Accountability Act (HIPAA). A critical failure identified by the investigation was that several EyeMed employees shared a single password for an email account containing sensitive client information related to vision benefits enrollment and coverage. A shared credential cannot be tied to one person, so it cannot be individually revoked, monitored, or audited, and any one employee's lapse exposes the whole account.
This lapse allowed an unauthorized party to access the inadequately secured email account in June 2020, exposing about six years' worth of personal and medical data. The exposed data included names, Social Security numbers, contact information, vision insurance account details, and medical diagnoses and treatment information. Compounding the damage, approximately 2,000 phishing emails were sent from the compromised account after the intrusion.
Describing the severity of the breach, New Jersey Attorney General Platkin stated, “New Jerseyans trusted EyeMed with their vision care and their personal information, only to have that trust shattered by the company’s lax security measures.” He added that the settlement goes beyond a financial penalty and requires EyeMed to significantly change its practices to better safeguard patient data.
Under the terms of the settlement, EyeMed must strengthen its privacy and security measures to protect consumer information more effectively. This includes complying with state and federal law, creating and maintaining a written Information Security Program, promptly reporting all data breaches, and establishing controls that govern access to sensitive data. EyeMed must also designate an executive or officer to oversee the security program.
This $2.5 million settlement follows earlier legal action against EyeMed over the same breach. The company previously agreed to a $600,000 penalty in a settlement with the Office of the New York Attorney General. New York Attorney General Letitia James noted the scope of the breach, stating that it had compromised nearly 2.1 million consumers, including approximately 100,000 New Yorkers. Under the agreement with the New York Attorney General, EyeMed was required to adopt measures to secure consumers' personal data against cyber threats, from establishing a comprehensive information security program to implementing appropriate logging and conducting penetration testing.
EyeMed's legal troubles extended beyond the New York Attorney General settlement. In October 2022, EyeMed agreed to a $4.5 million settlement with the New York Department of Financial Services (NYDFS) to resolve alleged violations of the NYDFS cybersecurity regulation. In announcing the settlement, Superintendent of Financial Services Adrienne A. Harris criticized EyeMed's failure to conduct regular risk assessments and to maintain secure access controls, failures the department said led directly to the breach and endangered sensitive consumer data. “It is critically important that consumers’ non-public information is kept safe from potential criminal activity, and DFS’s first-in-the-nation cybersecurity regulation requires New York-regulated entities to take that responsibility seriously,” stated Superintendent Harris. As part of the settlement, EyeMed committed to significant remedial measures to strengthen its data security practices.
EyeMed's experience is a cautionary tale for companies in every sector. It underscores the importance of stringent cybersecurity measures, regular risk assessments, secure access controls with individually assigned credentials, and robust data retention and disposal practices, since the six years of data exposed here would have been far smaller had older records been purged. In an era of growing digital dependence, safeguarding sensitive customer data and adapting continually to emerging cyber threats matter more than ever.